HIGHLIGHTS

AUDIT REPORT

Wireless Local Area Network Deployment and Security Practices
April 24, 2014

Report Number IT-AR-14-005

HIGHLIGHTS

April 24, 2014
Wireless Local Area Network Deployment and Security Practices
Report Number IT-AR-14-005

BACKGROUND:
The U.S. Postal Service is committed to providing a high quality, secure, and cost-effective telecommunication infrastructure that includes a wireless local area network. This network helps link about 32,000 facilities and enables communication among hundreds of thousands of employees and systems. The Postal Service is expanding its wireless infrastructure to provide mobile connectivity in delivery units to support new applications and enhance its competitiveness in the package delivery business.

Wireless technology offers multiple benefits such as increased mobility and ease of use; however, wireless networks are easy to compromise if improperly installed, increasing the risk that the confidentiality, integrity, and availability of information systems and data will be compromised. Attackers who gain unauthorized access to wireless networks can obtain sensitive information, conduct fraudulent activities, harm networks and systems, and disrupt operations.

Our objectives were to determine whether the Postal Service has effective security policies and controls in place to detect unauthorized use of and access to its wireless network, and whether the expansion plans for its wireless infrastructure follow established policy and security standards. The vice president, Information Technology, requested this audit.

WHAT THE OIG FOUND:
We determined the Postal Service implemented adequate security policies and controls that effectively detect unauthorized use of and access to its wireless network. Specifically, the Postal Service has configured its wireless controller devices and access points to continuously monitor and detect unauthorized access.

Our wireless network discovery scans at all five facilities we reviewed did not identify any wireless access points that we considered a threat to the network, such as those installed without the network administrator's consent.

In addition, the current expansion plans for the wireless infrastructure follow established policy and security standards, and security procedures in place are effective to ensure new wireless technologies are authorized, evaluated, and assessed prior to deployment.

WHAT THE OIG RECOMMENDED:
Because the Postal Service has effective security policies and controls for managing its wireless network infrastructure and technology, we are not making any recommendations.

April 24, 2014

MEMORANDUM FOR:   JOHN T. EDGAR
                  VICE PRESIDENT, INFORMATION TECHNOLOGY

FROM:             John E. Cihota
                  Deputy Assistant Inspector General
                  for Financial and Systems Accountability

SUBJECT:          Audit Report – Wireless Local Area Network Deployment and Security Practices
                  (Report Number IT-AR-14-005)

This report presents the results of our audit of the U.S. Postal Service's Wireless Local Area Network Deployment and Security Practices (Project Number 13BG021IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Sean D. Balduff, acting director, Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management

Wireless Local Area Network Deployment and Security Practices                     IT-AR-14-005

TABLE OF CONTENTS

Introduction
Conclusion
Wireless Local Area Network Security Policies and Controls
Recommendations
Appendix A: Additional Information
   Background
   Objectives, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Wireless Scan Analysis

Introduction

This report presents the results of our audit of the U.S. Postal Service's Wireless Local Area Network (WLAN) Deployment and Security Practices (Project Number 13BG021IT000). Our objectives were to determine whether the Postal Service has effective security policies and controls to detect unauthorized use of and access to its wireless networks and to determine whether the approved expansion plan for its wireless infrastructure follows established policy and security standards. The vice president, Information Technology, requested we review the Postal Service's WLAN. See Appendix A for additional information about this audit.

The Postal Service has an extensive data and voice telecommunication infrastructure that links about 32,000 facilities and enables communication among hundreds of thousands of employees and systems. This infrastructure includes communication networks and organization-wide computing systems. The communication networks include WLAN, local area networks (LAN), Internet,[1] Intranet,[2] Extranet,[3] Virtual Private Networks (VPN),[4] and all landline and wireless voice and data communication services.

To enhance its competitiveness in the package delivery business, the Postal Service implemented the Delivery Unit Infrastructure Technology (DUIT) Program.[5] This program expands wireless network capabilities at delivery units to provide mobile connectivity for several applications currently scheduled for deployment. Under this program, the Postal Service will install 18,857 wireless access points (AP)[6] at 11,857 delivery units. The expansion will provide key technologies necessary for successful implementation of Delivery, Results, Innovation, Value and Efficiency (DRIVE) Initiative 43, Build a World-Class Packaging Platform, and DRIVE Initiative 20, Achieve 100 Percent Product Visibility.

Conclusion

The Postal Service has effective security policies and controls that detect unauthorized access to its wireless network,[7] and the current expansion plans for its wireless infrastructure follow established policy and security standards.[8] To provide network and data security against unauthorized access and attacks,[9] the Postal Service implemented standardized configurations for its wireless network APs. To improve wireless network monitoring, the Postal Service implemented a [redacted] that detects unauthorized access, unauthorized configuration changes, and other security incidents. Finally, to protect the network infrastructure, the Postal Service has effective security policies in place to ensure new wireless technology is authorized, evaluated, and assessed before deployment.

Effective security controls increase the probability the Postal Service will detect and prevent unauthorized access to its network that could impair the confidentiality, integrity, and availability of information systems and data.

[1] A worldwide system of computer networks.
[2] A private network contained within an organization and only accessible by the organization's employees.
[3] A private network that shares part of an organization's information or operations with suppliers, customers, or vendors.
[4] A VPN encrypts data sent through the network.
[5] Decision Analysis Report, DUIT Program, October 9, 2013.
[6] A device that allows wireless devices to connect to a network.
[7] Handbook AS-805, Information Security, Section 11, Network Security, dated May 2013.
[8] Handbook AS-805, Section 11, and Handbook AS-805-D, Information Security Network Connectivity Process, dated September 2009.
[9] A network attack occurs when an attacker or hacker uses certain methods or technologies to use, corrupt, or steal data for malicious purposes.

Wireless Local Area Network Security Policies and Controls

Our audit determined that controls over the wireless network and technology were generally in place and effective. Specifically:

▪ Wireless networks and APs are configured to monitor and detect unauthorized use and access. The Postal Service uses a [redacted] to centrally manage and configure its wireless network and [redacted]. Integrated configuration templates are used to apply common and best-practice configuration settings for encryption, authentication, authorization, and accounting.

▪ We conducted wireless network scans at five facilities[13] to detect rogue APs.[14] We identified [redacted] out of [redacted] total APs that were not on the approved inventory list.[15] After further analysis, we discovered that [redacted] of the unknown APs were [redacted]. We validated that the [redacted] were [redacted] an approved Postal Service AP and did not pose a security threat. We analyzed the remaining [redacted] unknown APs and determined they were not rogue APs. For example, these APs included mobile hotspots[18] and the APs of surrounding businesses. Therefore, they did not pose a risk to the network infrastructure. See Table 1 for details of this analysis.

▪ The Postal Service employs continuous monitoring technology and procedures to ensure the wireless network is secure. This technology includes [redacted]. Larger Postal Service facilities have dedicated APs configured for wireless intrusion detection. Smaller facilities employ APs that [redacted]. This technology scans and analyzes the wireless network to detect unauthorized access and identify incidents for investigation and resolution by Telecommunication Services.[19]

▪ Based on limited testing of completed sites,[20] we determined that Telecommunication Services ensured wireless technologies installed as part of the DUIT Program were authorized, evaluated, and assessed prior to deployment and were in compliance with established security policies and procedures. As of February 11, 2014, wireless installation was completed for 2,769 of 11,857 delivery units in the program. This installation supports several applications scheduled for deployment:

  o [redacted][21]
  o [redacted][22]
  o [redacted][23]

Telecommunication Services implemented the WLAN tracking database to manage the wireless infrastructure expansion under the DUIT Program. The database contains the deployment status for each application as well as site survey data[24] for individual sites, which allows Telecommunication Services to track the progress of each individual program. See Table 2 for the DUIT Program status.

Recommendations

Security controls over the Postal Service wireless network infrastructure are in place and effective; therefore, we are issuing this report without any recommendations. The Postal Service informally reviewed a draft of this report and had no comments or concerns.

[13] Raleigh, NC, Processing and Distribution Center (P&DC); [redacted]; St. Paul, MN, P&DC; Minneapolis, MN, P&DC; and the [redacted].
[14] Any wireless AP that has been installed on a network's wired infrastructure without the consent of the network administrator or owner.
[15] Inventory listing of all APs connected to the Postal Service network as of November 25, 2013.
[16] A secondary Wi-Fi hotspot created within a physical AP.
[17] The ability of a computer application or product to continue to function well when its size or volume is changed to meet a user's needs.
[18] A portable cellular data modem that is combined with a Wi-Fi router.
[19] A part of the Enterprise Access Infrastructure group, which manages all access to information technology infrastructure, provides operational support, and provides deployment and strategic direction for the Postal Service.
[20] Selected sites were post offices located in Arlington, WA; Menomonee Falls, WI; Long Point, TX; North Shepherd, TX; and Watsonville, CA.
[21] An overhead camera-based solution that provides hands-free scanning, image capture, and revenue protection functionality at larger delivery units.
[22] DSS consists of an Advanced Computing Environment (ACE) laptop paired with a ring scanner and Bluetooth headset used at smaller delivery units.
[23] A mobile device used to process simple transactions for customers in the lobby rather than at the retail counter.
[24] A wireless site survey is part of the review and approval process. Site surveys are performed to obtain maximum benefits of the wireless devices and maintain appropriate security. The survey results are used to place APs, select channels, etc.

Appendix A: Additional Information

Background

Wireless networks allow organizations to extend their LANs to support a mobile workforce. Devices with wireless capabilities such as laptops and smart phones are able to communicate and use computing resources without physically connecting to a network. WLANs are groups of wireless networking devices within a limited geographic area that exchange data through radio communications. WLANs are an extension of the existing wired network and must permit secure, encrypted, authorized communication with access to data, communication, and business services as if connected to the LAN.

WLANs must:

▪ Maintain accessibility to resources while employees are not connected to a wired network.

▪ Secure the enterprise from unauthorized, unsecured, or rogue APs.

▪ Extend the full benefits of integrated network services[25] to nomadic users.[26]

▪ Segment authorized users and block unauthorized users.

▪ Easily deploy, operate, and manage central or remote APs.

▪ Contain wireless threats, enforce security policy compliance, and safeguard information through enhanced security services such as WLAN Intrusion Prevention Systems and Intrusion Detection Systems.

▪ Simultaneously track thousands of Wi-Fi and active Radio Frequency Identification[27] devices from directly within the WLAN infrastructure for critical applications (location services).

▪ Provide customers, vendors, and partners with easy access to wired and wireless LANs (guest access).

One of the primary components of a WLAN is an AP that transmits and receives data. These APs allow wireless devices to connect to a wired network using Wi-Fi or related standards, and can serve as the interconnecting point between the WLAN and a fixed wired network. In contrast, a rogue AP is any Wi-Fi access point installed on a network but not authorized for operation on that network, and not under network administrator management. Rogue APs do not conform to WLAN security policies and can allow anyone with a Wi-Fi device to connect to a network, bypassing the normal security policies.

Telecommunication Services is responsible for managing the Postal Service network. Network administrators and engineers own all network components and oversee all connections to the network. Telecommunication Services uses the [redacted] for network security, deployment, management, and control issues. This solution integrates [redacted] to automate wireless network planning, configuration, and management functions.

Another tool in the unified wireless network solution is the [redacted], which allows Telecommunication Services to monitor network activity and provide real-time reporting for network statistics and alarms.[29]

[25] Integrated network services support data, voice, and different networking protocols.
[26] Nomadic users are computer users who can freely move in an environment without carrying a computing device, using the devices present in the environment.
[27] A technology that incorporates the use of electromagnetic or electrostatic coupling in the RF portion of the electromagnetic spectrum to uniquely identify an object.
[29] An event is an occurrence or detection of some condition in and around the network. An alarm is a response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), the [redacted] raises an alarm until the resulting condition no longer occurs.

Objectives, Scope, and Methodology

Our audit objectives were to determine whether the Postal Service has effective security policies and controls in place to detect unauthorized use of and access to its wireless networks, and to determine whether the current approved expansion plan for its wireless infrastructure follows established policy and security standards. To accomplish our objectives, we:

▪ Interviewed Postal Service officials in Telecommunication Services and members of the Computer Incident Response Team (CIRT)[30] to identify policies and procedures for managing, configuring, and monitoring a wireless network infrastructure and its components.

▪ Judgmentally selected five facilities at which to conduct wireless network scans to detect unauthorized APs and devices. We conducted the scans using the [redacted].[31] The five facilities we selected were the:

  o Raleigh, NC, P&DC.
  o [redacted].
  o St. Paul, MN, P&DC.
  o Minneapolis, MN, P&DC.
  o [redacted].

▪ Obtained an inventory of approved wireless APs and compared data for each of our sampled facilities.

▪ Identified and analyzed [redacted] unknown APs that were not on the approved inventory list and verified that they were not a threat to the Postal Service network.

▪ Reviewed standard configuration settings for wireless APs and workgroup bridges.[32]

▪ Reviewed the [redacted] wireless network security incidents[33] investigated by the CIRT that occurred between October 1, 2013, and February 18, 2014; and verified procedures for monitoring, detecting, and documenting security incidents.

▪ Obtained documentation for the 2,769 sites completed under the wireless infrastructure expansion project. Selected the five completed sites[34] under the DUIT-PASS Phase 2 and verified that wireless technologies were authorized, evaluated, and assessed prior to deployment.

We conducted this performance audit from August 2013 through April 2014, in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We assessed the reliability of wireless network inventory data by performing scans of wireless networks, reviewing and analyzing the resultant data, and interviewing knowledgeable officials. We determined that the data were sufficiently reliable for the purposes of this report.

[30] CIRT is responsible for providing an immediate and effective response to computer security incidents as they occur.
[32] A small stand-alone unit that can provide a wireless infrastructure connection for ethernet-enabled devices.
[34] Arlington, WA; Menomonee Falls, WI; Long Point, TX; North Shepherd, TX; and Watsonville, CA.

Prior Audit Coverage

The U.S. Postal Service Office of Inspector General (OIG) did not identify any prior audits or reviews related to the objective of this audit.

Appendix B: Wireless Scan Analysis

Table 1. (values redacted)

                     Postal Service   OIG       Postal Service   Total         Total
Facility             Approved APs     Scanned   Virtual APs      Authorized    Unknown
                                      APs                        APs           APs
Raleigh P&DC         [redacted]       [redacted] [redacted]      [redacted]    [redacted]
[redacted]           [redacted]       [redacted] [redacted]      [redacted]    [redacted]
St. Paul P&DC        [redacted]       [redacted] [redacted]      [redacted]    [redacted]
Minneapolis P&DC     [redacted]       [redacted] [redacted]      [redacted]    [redacted]
[redacted]           [redacted]       [redacted] [redacted]      [redacted]    [redacted]
Totals               [redacted]       [redacted] [redacted]      [redacted]    [redacted]
Source: Wireless network scans conducted October through December 2013, and Telecommunication Services AP Inventory listing.

Our scans identified [redacted] APs at the five facilities. This total includes [redacted] approved APs and [redacted] that were not in inventory. Based on further analysis of the [redacted] APs, we identified [redacted] APs that increased the total authorized APs to [redacted]. Our final analysis determined that none of the remaining [redacted] APs we discovered were attached to the network; therefore, we did not identify any rogue APs that were a threat to the network.

Table 2. Status of Delivery Unit Wireless Capability Deployment

Status of AP         Programs (five programs; names redacted)
Installations     [redacted] [redacted] [redacted] [redacted] [redacted]   Totals  Percentage
Cancelled              54         73         10                    25        162       2.8%
Completed             539      1,163          5         50      1,012      2,769      48.0%
Exception                         19                                          19       0.3%
In Progress                       15          4                     1         20       0.3%
New                            1,891        323                            2,214      38.4%
On Hold                           28         68                               96       1.7%
Pending                           15          1                               16       0.3%
Rescheduled                       27         13                               40       0.7%
Scheduled                        371         56                              427       7.4%
Totals                593      3,602        480         50      1,038      5,763     100.0%
Percentage          10.3%      62.5%       8.3%       0.9%      18.0%     100.0%
Source: WLAN Project Tracking Report dated February 11, 2014.

According to the DUIT program, 18,857 wireless APs will be installed in delivery units to support the [redacted] applications. This connectivity is capable of supporting multiple devices at the same time and providing adequate bandwidth for the applications listed. These APs will be centrally managed and supported, and designed to allow only Postal Service devices to connect to the network infrastructure. Once AP installation is complete under the DUIT program, any future applications that need wireless capability will have it.
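The scan analysis in Appendix B and the methodology in Appendix A describe a triage sequence: compare each BSSID found by a discovery scan with the approved inventory, fold in the virtual APs that belong to approved physical APs, and then determine whether any remaining unknown AP is attached to the wired network (a rogue) or is merely a neighbouring business's AP or a mobile hotspot. The Python below is an added worked example of that triage and is not code from the report or from the Postal Service. The inventory, scan results and switch MAC table are constructed, the SSIDs and MAC addresses are fictitious, and both MAC-prefix rules (a virtual AP shares the upper 44 bits of its radio's base MAC; an AP's Ethernet MAC falls in the same 16-address block as its BSSIDs) are assumed vendor behaviour that only nominates candidates to be confirmed against the controller configuration, as the auditors did before counting an AP as authorized.

```python
"""Rogue-AP triage of a wireless discovery scan against an approved AP inventory.

Added example (not from the OIG report). The inventory, scan results and switch
MAC table are constructed, and the two MAC-prefix rules are heuristics that only
nominate candidates for validation against the wireless controller.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannedAP:
    bssid: str        # MAC address the AP advertises over the air
    ssid: str
    channel: int
    rssi_dbm: int


def mac_int(mac: str) -> int:
    """'02:a1:b2:c3:d4:01' -> 0x02a1b2c3d401 (accepts colons or dashes, any case)."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def norm(mac: str) -> str:
    """Canonical lowercase, colon-separated form so inventory and scan entries compare."""
    h = "{:012x}".format(mac_int(mac))
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def same_radio(bssid: str, base: str) -> bool:
    """Heuristic (assumption): a controller-managed radio advertises additional SSIDs
    on BSSIDs that share the upper 44 bits of its base MAC (base+1 .. base+15).
    A hit means 'probably a virtual AP of an approved radio'; confirm it in the
    controller before counting it as authorized."""
    return (mac_int(bssid) >> 4) == (mac_int(base) >> 4)


def on_wired_side(bssid: str, wired_macs) -> bool:
    """Heuristic (assumption): an AP's Ethernet MAC usually lies in the same
    16-address block as its BSSIDs, so a switch MAC-table entry in that block
    means the radio is plugged into our wired infrastructure."""
    return any((mac_int(bssid) >> 4) == (mac_int(w) >> 4) for w in wired_macs)


def classify(scan, approved, wired_macs):
    """Map each distinct BSSID in the scan to one verdict:
       approved  - BSSID is on the approved inventory
       virtual   - secondary SSID of an approved radio (Table 1 'Virtual APs')
       rogue     - not approved and visible on the wired side (installed without consent)
       external  - not approved and not on our wire (neighbour AP, mobile hotspot)
    Repeated sightings of one BSSID across sweeps collapse into a single entry."""
    approved_norm = {norm(m) for m in approved}
    result = {}
    for ap in scan:
        b = norm(ap.bssid)
        if b in approved_norm:
            result[b] = "approved"
        elif any(same_radio(b, base) for base in approved):
            result[b] = "virtual"
        elif on_wired_side(b, wired_macs):
            result[b] = "rogue"
        else:
            result[b] = "external"
    return result


def summarize(classes):
    """Table 1-style counts for one facility."""
    c = Counter(classes.values())
    authorized = c["approved"] + c["virtual"]
    return {
        "scanned": len(classes),
        "approved": c["approved"],
        "virtual": c["virtual"],
        "authorized": authorized,
        "unknown": len(classes) - authorized,
        "rogue": c["rogue"],
        "external": c["external"],
    }


# Constructed sample data: locally administered MACs and fictitious SSIDs.
APPROVED_INVENTORY = ["02:a1:b2:c3:d4:00", "02:a1:b2:c3:d4:10"]
WIRED_MAC_TABLE = [
    "02:a1:b2:c3:d4:0e", "02:a1:b2:c3:d4:1e",   # Ethernet ports of the approved APs
    "02:de:ad:be:ef:21",                         # an unknown box plugged into the wire
    "02:99:88:77:66:55",                         # an ordinary workstation
]
SAMPLE_SCAN = [
    ScannedAP("02:a1:b2:c3:d4:00", "corp-wlan", 36, -41),
    ScannedAP("02:a1:b2:c3:d4:01", "corp-guest", 36, -42),   # virtual AP of the first radio
    ScannedAP("02:a1:b2:c3:d4:10", "corp-wlan", 11, -55),
    ScannedAP("02:a1:b2:c3:d4:12", "corp-voice", 11, -56),   # virtual AP of the second radio
    ScannedAP("02:a1:b2:c3:d4:12", "corp-voice", 11, -58),   # same BSSID, second sweep
    ScannedAP("02:de:ad:be:ef:20", "linksys", 6, -47),       # consumer AP, also on the wire
    ScannedAP("02:ca:fe:00:00:42", "AndroidAP", 1, -70),     # mobile hotspot
    ScannedAP("02:bb:cc:dd:ee:ff", "NeighborCafe", 6, -82),  # surrounding business
]

if __name__ == "__main__":
    verdicts = classify(SAMPLE_SCAN, APPROVED_INVENTORY, WIRED_MAC_TABLE)
    for bssid, verdict in sorted(verdicts.items()):
        print(f"{bssid}  {verdict}")
    print(summarize(verdicts))
```

Only an unknown BSSID whose address block also shows up in the switch MAC table is reported as a rogue; everything else that is not in inventory is classed as external, which is the distinction Appendix B draws between "not attached to the network" and a threat. In practice the wired table comes from a MAC-address-table export of the facility's access switches, and a "virtual" verdict should be checked against the controller's SSID-to-radio mapping before it is added to the authorized count.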